Signing services are back online! Thank you for your patience.

New compute resources have been provisioned, and the HSM has been connected. This was necessary because the services were previously running in a highly virtualized environment without access to hardware devices. We are now adapting the signing services to use the HSM as the key provider instead of the old keystore. Unfortunately, we no longer have an ETA as we keep encountering unexpected challenges. Thank you for your patience.

The code-signing certificate deployed to production expired on May 21 at 23:59 UTC. Anything built and signed before this date remains valid. However, all signed JAR and PE32 (.exe, .dll) artifacts signed since May 22 are invalid due to the use of the expired certificate.

Efforts to update the certificate are ongoing. This update is not routine, as the secret key must now be stored on a Hardware Security Module (HSM), a new requirement from the codesigning Certificate Authorities. The use of the HSM requires significant effort to implement. We are hopeful to have it back in order by today, EOB (EDT).

Jar signing and PE32 (.exe, .dll) signing services are impacted. We have identified the issue and are working on its resolution.